TFLAG: Towards Practical APT Detection via Deviation-Aware Learning on Temporal Provenance Graph
Wenhan Jiang, Tingting Chai, Hongri Liu, Kai Wang, Hongke Zhang

TL;DR
TFLAG is a framework that combines temporal graph modeling with a deviation network to detect covert APT activity by capturing subtle structural changes in provenance graphs, without requiring labeled attack data.
Contribution
It introduces a self-supervised, deviation-aware learning approach that integrates dynamic temporal graph analysis with anomaly detection for practical APT identification.
Findings
Achieves higher accuracy than state-of-the-art methods in detecting APT attack windows.
Effectively distinguishes between attack activities and false positives using temporal and attribute data.
Demonstrates robustness in identifying covert attack behaviors without prior labeled data.
Abstract
Advanced Persistent Threats (APTs) have grown increasingly complex and concealed, posing formidable challenges to existing intrusion detection systems in identifying and mitigating these attacks. Recent studies have incorporated graph learning techniques to extract detailed information from provenance graphs, enabling attack detection at finer granularity. Nevertheless, existing studies have largely overlooked the continuous yet subtle temporal variations in the structure of provenance graphs, which may correspond to surreptitious perturbation anomalies in ongoing APT attacks. Therefore, we introduce TFLAG, an anomaly detection framework that for the first time integrates the structural dynamic extraction capabilities of temporal graph models with the anomaly delineation abilities of deviation networks to pinpoint covert attack activities in provenance graphs. This…
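The following is an added, editor-written toy example of the idea the TL;DR and abstract describe: audit events are sliced into time windows, the provenance graph is built incrementally, a small structural feature vector is derived per window (how much of the window's graph is new, and how widely a newly seen subject fans out), and each window is scored by its deviation from a baseline estimated on earlier windows assumed benign. It is not TFLAG's code: the audit events are constructed, the features are the editor's choice, and a per-feature z-score with a floored standard deviation stands in for the paper's learned deviation network.

```python
"""
Toy deviation-aware anomaly scoring over a temporal provenance graph.

Editor's illustrative example, NOT the TFLAG implementation.  Events are
constructed, the three structural features are an assumption, and a
z-score against a benign baseline replaces the paper's deviation network.
"""
from collections import defaultdict
import math

# Constructed audit events: (timestamp_seconds, subject, relation, object).
# Windows 0-3 are ordinary workstation activity; window 4 contains a covert
# burst: a shell spawned by a document viewer reads credential files and
# contacts a previously unseen external host.  (Synthetic data.)
EVENTS = [
    (0,   "firefox", "read",    "/home/u/.cache/ff/db"),
    (10,  "firefox", "connect", "93.184.216.34:443"),
    (25,  "bash",    "exec",    "ls"),
    (40,  "ls",      "read",    "/home/u"),
    (70,  "firefox", "read",    "/home/u/.cache/ff/db"),
    (80,  "firefox", "connect", "93.184.216.34:443"),
    (100, "bash",    "exec",    "vim"),
    (110, "vim",     "write",   "/home/u/notes.txt"),
    (130, "firefox", "connect", "93.184.216.34:443"),
    (150, "bash",    "exec",    "ls"),
    (165, "ls",      "read",    "/home/u"),
    (175, "vim",     "write",   "/home/u/notes.txt"),
    (190, "firefox", "read",    "/home/u/.cache/ff/db"),
    (200, "bash",    "exec",    "vim"),
    (220, "vim",     "read",    "/home/u/notes.txt"),
    (235, "firefox", "connect", "93.184.216.34:443"),
    (245, "firefox", "write",   "/tmp/report.pdf"),
    (250, "evince",  "read",    "/tmp/report.pdf"),
    (255, "evince",  "exec",    "sh"),
    (260, "sh",      "read",    "/home/u/.ssh/id_rsa"),
    (265, "sh",      "read",    "/home/u/.aws/credentials"),
    (270, "sh",      "connect", "198.51.100.7:8443"),
    (280, "sh",      "write",   "/tmp/.x"),
]
WINDOW = 60  # seconds per time window (assumption)


def build_windows(events, window=WINDOW):
    """Group events into consecutive time windows (index = t // window)."""
    buckets = defaultdict(list)
    for t, s, r, o in events:
        buckets[t // window].append((s, r, o))
    return [buckets[i] for i in sorted(buckets)]


def window_features(windows):
    """
    Walk the windows in order while growing the cumulative provenance graph.
    Per window return [new_node_fraction, new_edge_fraction,
    max_new_out_degree_of_a_new_subject] plus the subject responsible for
    that out-degree (a triage hint), or None if no new subject appeared.
    """
    seen_nodes, seen_edges = set(), set()
    feats, suspects = [], []
    for evs in windows:
        nodes = {s for s, _, _ in evs} | {o for _, _, o in evs}
        edges = set(evs)
        new_nodes, new_edges = nodes - seen_nodes, edges - seen_edges
        outdeg = defaultdict(int)
        for s, _, _ in new_edges:
            outdeg[s] += 1
        new_subjects = [s for s in new_nodes if s in outdeg]
        suspect = max(new_subjects, key=lambda s: outdeg[s], default=None)
        feats.append([
            len(new_nodes) / max(len(nodes), 1),
            len(new_edges) / max(len(edges), 1),
            float(outdeg[suspect]) if suspect else 0.0,
        ])
        suspects.append(suspect)
        seen_nodes |= nodes
        seen_edges |= edges
    return feats, suspects


def deviation_scores(feats, warmup=1, baseline_windows=3, eps=0.05):
    """
    Deviation of each window from a reference distribution estimated on
    `baseline_windows` windows after `warmup` (window 0 is all-new on a
    fresh graph, so it is excluded from the baseline).  Score = mean
    per-feature |z|, with sigma floored at eps so constant features do
    not divide by zero.  A learned deviation network would replace this.
    """
    ref = feats[warmup:warmup + baseline_windows]
    dim = len(feats[0])
    mu = [sum(f[i] for f in ref) / len(ref) for i in range(dim)]
    sd = [max(math.sqrt(sum((f[i] - mu[i]) ** 2 for f in ref) / len(ref)), eps)
          for i in range(dim)]
    return [sum(abs(f[i] - mu[i]) / sd[i] for i in range(dim)) / dim for f in feats]


def detect(events, window=WINDOW, threshold=3.0, warmup=1, baseline_windows=3):
    """Return the post-warmup windows whose deviation exceeds the threshold."""
    windows = build_windows(events, window)
    feats, suspects = window_features(windows)
    scores = deviation_scores(feats, warmup, baseline_windows)
    return [{"window": i, "score": round(scores[i], 2), "suspect": suspects[i]}
            for i in range(warmup, len(windows)) if scores[i] > threshold]


if __name__ == "__main__":
    print(detect(EVENTS))  # flags window 4, with "sh" as the fanning-out new subject
```

The cold-start window is deliberately kept out of the baseline and out of the reported alerts: on a fresh graph every node and edge is new, so any structural-novelty feature will score it as anomalous for reasons that have nothing to do with an attack. The suspect field is only a triage hint; the real work is inspecting the flagged window's subgraph.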
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Graph Neural Networks · Smart Grid Security and Resilience
